Project Summary

This task represents an initial part of a long term project aimed at making both theoretical and practical advances in the field of formal reasoning. The main goal is to provide a framework for designing and experimenting with symbol manipulation programs, and in particular, to provide a general software architecture for implementing formal reasoning systems and interfaces to existing software components including special purpose theorem provers, program transformers, and databases. The kernel will be a computation system that supports a rich collection of data structures for formal reasoning, a wide spectrum of programming paradigms including both high-level and low level constructs, and objects as self contained entities that may be used uniformly and independently of internal representation.


1. Kernel data structures

In [3, 2] we report recent work on a theory of binding structures. Binding structures enrich traditional abstract syntax trees by providing support for representing binding mechanisms and structures with holes. The goal of this work is to establish a common core for building tools such as theorem provers, transformers, static analyzers, evaluators, rewriters, etc. that manipulate symbolic structures. Binding structures solve problems of variable name conflict and renaming, and provide a means for manipulating occurrences of structures. They incorporate the notion of syntactic context. This allows for expression of schemata within the language rather than as meta-expressions. Filling holes is a mechanism for capturing free variables, in contrast to substitution for free variables, which avoids capture. Binding structures provide a basis for sharing a wide range of data structures among program manipulation and mechanized reasoning programs. These include not only terms and formulas, but proofs, rewriting contexts, specifications, etc. In developing efficient programs for manipulation of symbolic structures it is important to be able to express sharing and updating optimizations for algorithms and to have a clear semantics of the structures that support such optimizations. Binding structures together with the work on equivalence of programs that operate on mutable data are a first step in this direction.
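The distinction drawn above between filling a hole (which captures) and substituting for a free variable (which avoids capture) is illustrated by the following added Python sketch; it is not code from the paper and uses a constructed minimal term language with a single named-hole construct, not the binding-structure theory of [3, 2].

```python
from collections import namedtuple

# Constructed mini term language: variables, binders, applications, named holes.
Var = namedtuple("Var", "name")
Lam = namedtuple("Lam", "param body")
App = namedtuple("App", "fn arg")
Hole = namedtuple("Hole", "label")

def free_vars(t):
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, Lam):
        return free_vars(t.body) - {t.param}
    if isinstance(t, App):
        return free_vars(t.fn) | free_vars(t.arg)
    return set()  # a hole has no free variables of its own

def subst(t, x, s):
    """Capture-avoiding substitution t[x := s]: a binder that would capture a
    free variable of s is renamed to a fresh name before descending."""
    if isinstance(t, Var):
        return s if t.name == x else t
    if isinstance(t, App):
        return App(subst(t.fn, x, s), subst(t.arg, x, s))
    if isinstance(t, Hole) or t.param == x:  # hole, or x rebound: stop here
        return t
    y = t.param
    if y in free_vars(s):                    # would capture: pick a fresh name
        avoid = free_vars(s) | free_vars(t.body)
        while y in avoid:
            y += "'"
    body = t.body if y == t.param else subst(t.body, t.param, Var(y))
    return Lam(y, subst(body, x, s))

def fill(t, label, s):
    """Fill each hole `label` with s. No renaming happens, so binders enclosing
    the hole deliberately capture the free variables of s."""
    if isinstance(t, Hole):
        return s if t.label == label else t
    if isinstance(t, Lam):
        return Lam(t.param, fill(t.body, label, s))
    if isinstance(t, App):
        return App(fill(t.fn, label, s), fill(t.arg, label, s))
    return t

# The schema \x.[] filled with x binds it; substituting x for y under \x does not.
CONTEXT = Lam("x", Hole("[]"))
CAPTURED = fill(CONTEXT, "[]", Var("x"))             # \x. x   free vars: {}
AVOIDED = subst(Lam("x", Var("y")), "y", Var("x"))   # \x'. x  free vars: {x}
```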

Drafts of a full version of the binding structure paper have been distributed to people involved in implementation of theorem provers, programming environments, and program transformation systems (among others) in order to get feedback about possible deficiencies of the theory, and to get suggestions for additional applications. This is also a first step in starting discussions that will hopefully lead to some agreement within the community as to sharable data structures, and a common basis for implementation of symbolic manipulation programs.
2. An Exercise in Verification

In [1] we present a formal verification of the local correctness of a mutex algorithm using the Boyer-Moore theorem prover. The formalization follows closely an informal proof of Manna and Pnueli. The proof method of Manna and Pnueli is to first extract from the program a set of states and an induced transition system. One then proves suitable invariants. There are two variants of the proof. In the first (atomic) variant, compound tests involving quantification over a finite set are viewed as atomic operations. In the second (molecular) variant, this assumption is removed, making the details of the transitions and proof somewhat more complicated.

The original Manna-Pnueli proof was formulated in terms of finite sets. This led to a concise and elegant informal proof, but one that is not easy to mechanize in the Boyer-Moore logic. In the mechanized version we use a dual isomorphic representation of program states based on finite sequences. Our approach was to outline the formal proof of each invariant, making explicit the case analyses, assumptions and properties of operations used. The outline served as our guide in developing the formal proof. The resulting sequence of events follows the informal plan quite closely. The main difficulties encountered were in discovering the precise form of the lemmas and hints necessary to guide the theorem prover.

The complete formal proofs (input to the Boyer-Moore prover) appear as appendices. Some comments on formalization techniques, difficulties, and alternatives are included as comments in the theorem prover input.


3. Surveys

A first step in designing an architecture for formal reasoning and other symbolic manipulation systems is to survey and analyze existing systems and technologies. Work is in progress on two surveys: one of existing theorem provers, and one of programming environment kernels and tools. In both cases a major goal is analyzing the common components that implementations could share. In the case of programming environments we also want to determine to what degree existing systems support sharing and interoperability, and what is needed to make the mechanisms more widely accepted. As part of the theorem prover survey we also want to determine capabilities of existing systems: the language, logic, proof-theory, proof-mechanisms, means of interaction with a user, major applications, and existence of tutorials. The resulting data is intended to help potential users find the system that best meets their needs. It will also be used to develop requirements for general purpose, mechanized reasoning systems capable of supporting a wide range of non-trivial applications.